Neste post vou demonstrar como fazer uma instalação a partir do zero, sem ser por svn e sim por packages.
Antes, no entanto, é preciso concluir a instalação do Debian 7 com alguns pacotes necessários para compilar e executar OpenVAS 6.
$ sudo apt-get install nsis alien rpm texlive-latex-extra libqt4-dev g++ libmicrohttpd-dev libxml2-dev libxslt1-dev libxml2-dev libsqlite3-dev doxygen sqlfairy xmltoman sqlite3 gcc make cmake pkg-config libssh-dev gnutls-dev libglib2.0-dev libpcap-dev libgpgme11-dev uuid-dev bison libmicrohttpd5 -y
Depois, precisamos baixar os packages do Openvas6.
$ wget http://wald.intevation.org/frs/download.php/1159/openvas-libraries-5.0.3.tar.gz
$ wget http://wald.intevation.org/frs/download.php/1092/openvas-scanner-3.3.1.tar.gz
$ wget http://wald.intevation.org/frs/download.php/1112/openvas-manager-4.0+beta3.tar.gz
$ wget http://wald.intevation.org/frs/download.php/1140/openvas-administrator-1.2.1.tar.gz
$ wget http://wald.intevation.org/frs/download.php/1116/greenbone-security-assistant-4.0+beta3.tar.gz
$ wget http://wald.intevation.org/frs/download.php/1084/gsd-1.2.2.tar.gz
$ wget http://wald.intevation.org/frs/download.php/1131/openvas-cli-1.1.5.tar.gz
E na sequencia:
1 openvas-libraries
2 openvas-scanner
3 openvas-manager
4 openvas-administrator
5 gsad (greenbone-security-assistant)
6 gsd (greenbone-security-desktop)
7 openvas-cli
1 openvas-libraries
# tar xzvf openvas-libraries-5.0.3.tar.gz
# cd openvas-libraries-5.0.3/
# cmake .
– Configuring the Libraries…
– Install prefix: /usr/local
– checking for module ‘wmiclient>=1.3.14′
– package ‘wmiclient>=1.3.14′ not found
– checking for module ‘libssh>=0.4.5′
– package ‘libssh>=0.4.5′ not found
– Looking for pcap…
– Looking for pcap… /usr/lib/libpcap.so
– Looking for gpgme…
– Looking for gpgme… /usr/lib/libgpgme.so
– Looking for libldap…
– No ldap library found – ldap support disabled
– Did not find libssh via pkg-config, trying alternative approach …
– Found libssh 0.4.5.
– Looking for uuid…
– Looking for uuid… /usr/lib/libuuid.so
– Found Doxygen: /usr/bin/doxygen
– Configuring done
– Generating done
– Build files have been written to: /home/test/openvas/openvas-libraries-5.0.3
# make install
# cd ..
2 openvas-scanner
# tar xzvf openvas-scanner-3.3.1.tar.gz
# cd openvas-scanner-3.3.1/
# cmake .
– Configuring the Scanner…
– Install prefix: /usr/local
– Looking for pcap…
– Looking for pcap… /usr/lib/libpcap.so
– Looking for gpgme…
– Looking for gpgme… /usr/lib/libgpgme.so
– Found Doxygen: /usr/bin/doxygen
– Configuring done
– Generating done
– Build files have been written to: /home/test/openvas/openvas-scanner-3.3.1
# make
# make install
# cd ..
3 openvas-manager
# tar xzvf openvas-manager-4.0+beta3.tar.gz
# cmake .
– Configuring the Manager…
– Install prefix: /usr/local
– Looking for pcap…
– Looking for pcap… /usr/lib/libpcap.so
– Looking for gpgme…
– Looking for gpgme… /usr/lib/libgpgme.so
– Looking for xmltoman…
– Looking for xmltoman… /usr/bin/xmltoman
– Looking for xmlmantohtml… /usr/bin/xmlmantohtml
– Looking for SQLFairy…
– Looking for SQLFairy… /usr/bin/sqlt-diagram, /usr/bin/sqlt
– Configuring done
– Generating done
– Build files have been written to: /home/test/openvas/openvas-manager-4.0+beta3
# make
# make install
# cd ..
4 openvas-administrator
# tar xzvf openvas-administrator-1.2.1.tar.gz
# cd openvas-administrator-1.2.1/
# cmake .
– Configuring the OpenVAS Administrator…
– Install prefix: /usr/local
– Looking for pcap…
– Looking for pcap… /usr/lib/libpcap.so
– Looking for gpgme…
– Looking for gpgme… /usr/lib/libgpgme.so
– Looking for xmltoman…
– Looking for xmltoman… /usr/bin/xmltoman
– Looking for xmlmantohtml… /usr/bin/xmlmantohtml
– Configuring done
– Generating done
– Build files have been written to: /home/test/openvas/openvas-administrator-1.2.1
# make
# make install
# cd ..
5 gsad (greenbone-security-assistant)
# tar xzvf greenbone-security-assistant-4.0+beta3.tar.gz
# cd greenbone-security-assistant-4.0+beta3/
# cmake .
– Configuring greenbone-security-assistant…
– Looking for pkg-config… /usr/bin/pkg-config
– Install prefix: /usr/local
– External XSL transformations, with xsltproc.
– Looking for xmltoman…
– Looking for xmltoman… /usr/bin/xmltoman
– Looking for xmlmantohtml… /usr/bin/xmlmantohtml
– Configuring done
– Generating done
– Build files have been written to: /home/test/openvas/greenbone-security-assistant-4.0+beta3
# make
# make install
# cd ..
6 gsd (greenbone-security-desktop)
# tar gsd-1.2.2.tar.gz
# cd gsd-1.2.2
# cmake .
– Configuring gsd …
– Install prefix: /usr/local
– Looking for xmltoman…
– Looking for xmltoman… /usr/bin/xmltoman
– Looking for xmlmantohtml… /usr/bin/xmlmantohtml
– Configuring done
– Generating done
– Build files have been written to: /home/test/openvas/gsd-1.2.2
# make
# make install
# cd ..
7 openvas-cli
# tar xzvf openvas-cli-1.1.5.tar.gz
# cd openvas-cli-1.1.5
# cmake .
– Configuring openvas-cli …
– Install prefix: /usr/local
– Looking for xmltoman…
– Looking for xmltoman… /usr/bin/xmltoman
– Looking for xmlmantohtml… /usr/bin/xmlmantohtml
– Configuring done
– Generating done
– Build files have been written to: /home/test/openvas/openvas-cli-1.1.5
# make
# make install
# cd ..
Quando a instalação estiver completa, vamos configurar OpenVAS 6, atualizar primeiro o banco de dados com todos os testes e plugins de vulnerabilidades (NVT):
# openvas-nvt-sync
[i] This script synchronizes an NVT collection with the ‘OpenVAS NVT Feed’.
[i] The ‘OpenVAS NVT Feed’ is provided by ‘The OpenVAS Project’.
[i] Online information about this feed: ‘http://www.openvas.org/openvas-nvt-feed.html’.
[i] NVT dir: /usr/local/var/lib/openvas/plugins
[i] Will use rsync
[i] Using rsync: /usr/bin/rsync
[i] Configured NVT rsync feed: rsync://feed.openvas.org:/nvt-feed
OpenVAS feed server – http://openvas.org/
This service is hosted by Intevation GmbH – http://intevation.de/
All transactions are logged.
Please report problems to admin@intevation.de
receiving incremental file list
[…]
Vamos gerar um usuário com privilégios de administrador (para o OpenVAS, não do SO):
# openvasad -c ‘add_user’ -n admin –role=Admin
Enter password: <digite uma senha segura aqui>
Como OpenVAS protege a comunicação entre o scanner e o cliente usando SSL, você deve gerar os certificados usando o script openvas-mkcert que gera uma autoridade de certificação (se já não estiver lá) e o certificado do lado do scanner. Neste caso, ele vai configurar um CA da Alemanha, com informações do projeto OpenVAS e GreenBone (uma das empresas que tem serviços profissionais e pagos, além de contribuir com a comunidade open source com código-fonte e plugins).
# openvas-mkcert
/usr/local/var/lib/openvas/private/CA created
/usr/local/var/lib/openvas/CA created
——————————————————————————-
Creation of the OpenVAS SSL Certificate
——————————————————————————-
This script will now ask you the relevant information to create the SSL certificate of OpenVAS.
Note that this information will *NOT* be sent to anybody (everything stays local), but anyone with the ability to connect to your OpenVAS daemon will be able to retrieve this information.
CA certificate life time in days [1460]:
Server certificate life time in days [365]:
Your country (two letter code) [DE]:
Your state or province name [none]:
Your location (e.g. town) [Berlin]:
Your organization [OpenVAS Users United]:
——————————————————————————-
Creation of the OpenVAS SSL Certificate
——————————————————————————-
Congratulations. Your server certificate was properly created.
The following files were created:
. Certification authority:
Certificate = /usr/local/var/lib/openvas/CA/cacert.pem
Private key = /usr/local/var/lib/openvas/private/CA/cakey.pem
. OpenVAS Server :
Certificate = /usr/local/var/lib/openvas/CA/servercert.pem
Private key = /usr/local/var/lib/openvas/private/CA/serverkey.pem
Press [ENTER] to exit
Agora vamos gerar o CA no lado do client:
# openvas-mkcert-client -n om -i
Generating RSA private key, 1024 bit long modulus
……………..++++++
…….++++++
e is 65537 (0×10001)
[…]
Vamos inicializar o scanner, pode demorar alguns minutos para carregar todos os plugins de vulnerabilidades – NVT.
# openvassd
Depois de ter concluído o carregamento dos plugins, precisamos para reconstruir o banco de dados com o openvas-manager, para isso, usamos os seguintes comandos:
# touch /usr/local/var/lib/openvas/mgr/tasks.d
# openvasmd –backup
# openvasmd –rebuild
O Openvas 6 usa nmap 5.51:
# wget http://nmap.org/dist/nmap-5.51.6.tgz
# tar xzvf nmap-5.51.6.tg
# cd nmap-5.51.6
# ./configure
# make
# make install
Precisamos verificar se a versão é correta do NMAP:
# nmap -V
Nmap version 5.51.6 ( http://nmap.org )
Agora, vamos inicializar o Openvas modo Administrador:
# openvasad
E depois, vamos inicializar o Openvas modo Manager:
# openvasmd
Também vamos inicializar o GSA (greenbone-security-assistant) para administrar nossa instalação OpenVAS6:
# gsad –http-only –listen=0.0.0.0 -p 9392
Verificando se foi instalado corretamente, através deste script:
# chmod 755 openvas-check-setup
# ./openvas-check-setup –v6
[…]
Step 1: Checking OpenVAS Scanner …
OK: OpenVAS Scanner is present in version 3.3.1.
OK: OpenVAS Scanner CA Certificate is present as /usr/local/var/lib/openvas/CA/cacert.pem.
OK: NVT collection in /usr/local/var/lib/openvas/plugins contains 28194 NVTs.
WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
Step 2: Checking OpenVAS Manager …
OK: OpenVAS Manager is present in version 4.0+beta3.
OK: OpenVAS Manager client certificate is present as /usr/local/var/lib/openvas/CA/clientcert.pem.
OK: OpenVAS Manager database found in /usr/local/var/lib/openvas/mgr/tasks.db.
OK: Access rights for the OpenVAS Manager database are correct.
OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
OK: OpenVAS Manager database is at revision 58.
OK: OpenVAS Manager expects database at revision 58.
OK: Database schema is up to date.
OK: OpenVAS Manager database contains information about 28194 NVTs.
OK: xsltproc found.
Step 3: Checking OpenVAS Administrator …
OK: OpenVAS Administrator is present in version 1.2.1.
OK: At least one user exists.
OK: At least one admin user exists.
Step 4: Checking Greenbone Security Assistant (GSA) …
OK: Greenbone Security Assistant is present in version 4.0+beta3.
Step 5: Checking OpenVAS CLI …
OK: OpenVAS CLI version 1.1.5.
Step 6: Checking Greenbone Security Desktop (GSD) …
OK: Greenbone Security Desktop is present in Version 1.2.2.
Step 7: Checking if OpenVAS services are up and running …
OK: netstat found, extended checks of the OpenVAS services enabled.
OK: OpenVAS Scanner is running and listening on all interfaces.
OK: OpenVAS Scanner is listening on port 9391, which is the default port.
OK: OpenVAS Manager is running and listening on all interfaces.
OK: OpenVAS Manager is listening on port 9390, which is the default port.
OK: OpenVAS Administrator is running and listening on all interfaces.
OK: OpenVAS Administrator is listening on port 9393, which is the default port.
OK: Greenbone Security Assistant is running and listening on all interfaces.
OK: Greenbone Security Assistant is listening on port 9392, which is the default port.
Step 8: Checking nmap installation …
OK: nmap is present in version 5.51.6.
Step 9: Checking presence of optional tools …
OK: pdflatex found.
OK: PDF generation successful. The PDF report format is likely to work.
OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work.
OK: rpm found, LSC credential package generation for RPM based targets is likely to work.
OK: alien found, LSC credential package generation for DEB based targets is likely to work.
OK: nsis found, LSC credential package generation for Microsoft Windows targets is likely to work.[…]
Vamos conectar à porta 9392 via browser, através da URL http://localhost:9392:
E por último, ter acesso ao nome de usuário e senha previamente criado no OpenVAS6.
Referências:
http://www.openvas.org/
http://www.openvas.org/setup-and-start.html
http://www.debian.org/
VSLA - Virtual Security Labs Anywhere 